From a746c8df31ed9f55516dd5c2109e908c86cc0ac1 Mon Sep 17 00:00:00 2001 From: mpl Date: Tue, 13 Dec 2016 16:24:02 +0100 Subject: [PATCH] doc: TLS certificate configuration Fixes #891 Change-Id: I90a7d7c6df90d0296856caed57a1c7cada2c1d74 --- doc/server-config.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/server-config.md b/doc/server-config.md index c4b474ae7..764342813 100644 --- a/doc/server-config.md +++ b/doc/server-config.md @@ -28,12 +28,19 @@ This page documents the simple configuration mode. your Camlistore server. Useful for when running behind a reverse proxy. Should not end in a slash. e.g. `https://yourserver.example.com` -* `https`: if "true", HTTPS is used +* `https`: if "true", HTTPS is used. * `httpsCert`: path to the HTTPS certificate file. This is the public file. It should include the concatenation of any required intermediate certs as well. * `httpsKey`: path to the HTTPS private key file. + * If an explicit certificate and key are not provided, a certificate from + [Let's Encrypt](https://letsencrypt.org) is requested automatically if the + following conditions apply: + * A fully qualified domain name is specified in either `baseURL` or `listen`. + * Camlistore listens on port `443` in order to answer the TLS-SNI challenge + from Let's Encrypt. + * As a fallback, if no FQDN is found, a self-signed certificate is generated. * `identity`: your GPG fingerprint. A keypair is created for new users on start, but this may be changed if you know what you're doing.
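Review bot: The fallback bullet at the end of the added text only covers "if no FQDN is found", so the case where an FQDN is set in `baseURL` or `listen` but Camlistore does not listen on port `443` is left undocumented. Please state what happens then (a startup error, or a self-signed certificate as well), since the context lines above mention running behind a reverse proxy, and an operator in that setup cannot tell from this text which certificate the server will present. In the second condition it is also worth saying that port `443` must be reachable by Let's Encrypt for the TLS-SNI challenge to succeed, not only that Camlistore listens on it. For the self-signed fallback, a short sentence noting that clients will not be able to validate that certificate against a trusted CA would keep readers from mistaking it for an equivalent of the Let's Encrypt path.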